JetBrains IDE Plugins — 15 Malicious Add-ons Caught Stealing AI API Keys
AI relevance: This supply-chain attack specifically targets the AI development workflow — malicious IDE plugins harvest the OpenAI, Anthropic, and DeepSeek API keys developers paste into plugin settings, turning the trusted AI coding assistant into a credential exfiltration vector.
What happened
- 15 malicious JetBrains IDE plugins were published under seven separate vendor accounts on the JetBrains Marketplace, all sharing the same hidden behavior: exfiltrating the AI provider API key users paste into plugin settings.
- Combined installs reached approximately 70,000, though Aikido Security notes download counts may be inflated and fake five-star reviews were present on marketplace listings.
- The campaign has been active since late October 2025, with new malicious plugin variants still being published as recently as June 10, 2026.
- Each plugin poses as an AI coding assistant built on DeepSeek or similar LLMs, offering chat, commit messages, code review, and unit test generation — functionality that works exactly as advertised.
- The theft triggers the moment a user clicks "Apply" in settings: the handler stores the key locally and simultaneously forwards it via HTTP POST to a hardcoded server at 39.107.60[.]51, authenticated with a static token embedded in the plugin binary.
- A "paid tier" exists: after users pay a small fee through a donation wall, the attacker server sends back a working API key, possibly one stolen from another victim, turning the campaign into a key-reselling operation.
Why it matters
IDE plugins run unsandboxed inside the editor, with full access to source code, cloud credentials, signing keys, and now AI provider secrets. JetBrains' manual review process can be bypassed when malicious logic is buried inside an otherwise functional plugin. For AI ops teams, this means any developer on your team who installed one of these plugins has potentially exposed production API keys — keys that grant access to model inference, fine-tuning data, and in some cases, organizational billing.
What to do
- Audit your team's JetBrains installations for the affected plugins (listed in Aikido's full disclosure). Plugin IDs alone are a weak check because new variants keep appearing; also inspect installed plugin JARs for the hardcoded server 39.107.60[.]51 and block egress to it.
- Rotate (revoke, then reissue) any OpenAI, Anthropic, DeepSeek, or SiliconFlow API keys that were entered into unvetted IDE plugins. Replacing a key without revoking the old one leaves the stolen copy valid.
- Monitor AI provider billing dashboards and per-key usage logs for unexpected usage spikes; stolen keys are often resold or burned for compute, and the resale tier described above means a key may be in use by a third party long after the plugin is removed.
- Treat IDE plugins like any other dependency: vet the vendor, review the source if available, and avoid pasting long-lived secrets into tools you haven't audited.
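The audit step above can be scripted. The following is an added example, not code from the original article or from Aikido: it walks the default JetBrains plugin directories (the per-OS paths are an assumption about a standard install), reads each plugin JAR's `META-INF/plugin.xml` for its ID and vendor, and flags a JAR if the ID is on a deny list you fill in from the disclosure or if any file inside the JAR contains the literal exfiltration address `39.107.60.51`. The `make_demo_jar` helper builds a constructed sample plugin so the detector can be exercised offline; `com.example.demo-ai-assistant`, `ApplyHandler.class` and the vendor details in it are invented for that purpose.

```python
import io
import os
import sys
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Iterator

# Indicator from the disclosure (defanged there as 39.107.60[.]51).
IOC_IP = b"39.107.60.51"

# Plugin IDs to flag. Populate from Aikido's published list; the article
# this script accompanies does not reproduce them, so it ships empty.
DENY_LIST_IDS: set[str] = set()


def candidate_plugin_roots() -> list[Path]:
    """Default JetBrains config roots per OS (assumption: standard install paths)."""
    home = Path.home()
    roots = [
        home / ".local" / "share" / "JetBrains",                 # Linux
        home / "Library" / "Application Support" / "JetBrains",  # macOS
    ]
    if os.environ.get("APPDATA"):
        roots.append(Path(os.environ["APPDATA"]) / "JetBrains")  # Windows
    return [r for r in roots if r.is_dir()]


def iter_plugin_jars(root: Path) -> Iterator[Path]:
    """Yield JARs under <Product><Version>/plugins/<Plugin>/lib/."""
    for jar in root.rglob("*.jar"):
        if "plugins" in jar.parts:
            yield jar


def plugin_metadata(zf: zipfile.ZipFile) -> dict:
    """Extract id/name/vendor from META-INF/plugin.xml, or {} if absent."""
    try:
        root = ET.fromstring(zf.read("META-INF/plugin.xml"))
    except (KeyError, ET.ParseError):
        return {}
    meta = {}
    for tag in ("id", "name", "vendor"):
        el = root.find(tag)
        if el is not None:
            meta[tag] = (el.text or "").strip()
    vendor = root.find("vendor")
    if vendor is not None:
        meta["vendor_email"] = vendor.get("email", "")
    return meta


def scan_jar_bytes(data: bytes) -> dict:
    """Scan one JAR image: metadata, entries containing the IOC, deny-list status."""
    result = {"meta": {}, "ioc_hits": [], "denylisted": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result["meta"] = plugin_metadata(zf)
        result["denylisted"] = result["meta"].get("id") in DENY_LIST_IDS
        for info in zf.infolist():
            if info.is_dir():
                continue
            # String constants in .class files are stored as modified UTF-8, and
            # an ASCII IP is byte-identical there, so a raw search finds a literal
            # address. An address assembled at runtime would not be caught.
            if IOC_IP in zf.read(info.filename):
                result["ioc_hits"].append(info.filename)
    return result


def scan_installed() -> list[dict]:
    """Scan every discovered plugin JAR; return only the suspicious ones."""
    findings = []
    for root in candidate_plugin_roots():
        for jar in iter_plugin_jars(root):
            try:
                r = scan_jar_bytes(jar.read_bytes())
            except (OSError, zipfile.BadZipFile):
                continue
            if r["ioc_hits"] or r["denylisted"]:
                r["path"] = str(jar)
                findings.append(r)
    return findings


def make_demo_jar(include_ioc: bool) -> bytes:
    """Constructed sample JAR (not a real plugin) for offline demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/plugin.xml",
            "<idea-plugin><id>com.example.demo-ai-assistant</id>"
            "<name>Demo AI Assistant</name>"
            '<vendor email="dev@example.com">Example Vendor</vendor></idea-plugin>',
        )
        body = b"\xca\xfe\xba\xbe" + b"settings apply handler "
        if include_ioc:
            body += b"http://" + IOC_IP  # literal endpoint, as in the real plugins
        zf.writestr("com/example/ApplyHandler.class", body)
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_installed()
    for h in hits:
        print(f"SUSPECT {h['path']}: id={h['meta'].get('id')} "
              f"vendor={h['meta'].get('vendor')} ioc_in={h['ioc_hits']} "
              f"denylisted={h['denylisted']}")
    if not hits:
        print("No installed plugin matched the deny list or contained the IOC.")
        print("Demo on a constructed JAR:", scan_jar_bytes(make_demo_jar(True))["ioc_hits"])
    sys.exit(1 if hits else 0)
```

Run it on each developer workstation (or under a fleet management tool) and treat a non-zero exit as "rotate keys now". The byte search is deliberately narrow: it confirms the specific indicator from this campaign, not the absence of other exfiltration, so a clean result does not make a plugin trustworthy.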
Sources
- Aikido Security — Multiple JetBrains IDE plugins caught stealing AI keys
- GBHackers — JetBrains Plugin Security Alert: 70,000+ Installs Linked to AI Key Theft
- The Hacker News — Malicious JetBrains Plugins Steal AI API Keys
- Hackread — 15 Malicious JetBrains Plugins Caught Stealing DeepSeek, OpenAI API Keys